Are you running Splunk Free?

Saved searches that were previously scheduled by other users are still available, and you can run them manually as required. You can also view, move, or modify them in Splunk Web or in savedsearches.conf.

Was the data added to a different index?

Some apps, like the *nix and Windows apps, write input data to a specific index (in the case of *nix and Windows, that is the "os" index). If you're not finding data that you're certain is in Splunk, be sure that you're looking at the right index. See Retrieving events from indexes in the Search Manual for more information. You might want to add the os index to the list of default indexes for the role you're using. For more information about roles, refer to Add and edit roles with Splunk Web in the Securing Splunk Enterprise manual. For information about troubleshooting data input issues, see Troubleshoot the input process in the Getting Data In manual.

Do your permissions allow you to see the data?

Your permissions can vary depending on the index privileges or search filters.
See Add and edit roles in Splunk Web in Securing Splunk Enterprise for more information.

What about issues related to time?

Double check the time range that you're searching. Are you sure the events exist in that time window? Try increasing the time window for your search.

You can try a time picker value of All time for some part of your data, like a source type or string. This is one of the few ways to show events that have been erroneously timestamped with a future timestamp.

If you are running a report, check the time zone of the user who created the report.

Are you using forwarders?

Check that your data is in fact being forwarded. Here are some searches to get you started. You can run all of these searches, except for the last one, from the Splunk default Search app. Run the last search from the CLI on the forwarder itself, because a forwarder does not have a user interface:

Are my forwarders connecting to my receiver? Which IP addresses are connecting to Splunk as inputs, and how many times is each IP logged in metrics.log?

If you need to see whether the socket is being established, look in the forwarder's splunkd.log for the message "Connected to idx=<ip>:<port>". On the receiving side, if you set the log category TcpInputConn to INFO or lower, you can see the message "Connection in cooked mode from src=<ip>:<port>".

Are you using search heads?

Check that your search heads are searching the indexers that contain the data you're looking for. Read about distributed search in the Distributed Search Manual.

Are you still logged in and under your license usage?

If you have several (3 for Splunk Free or 5 for Enterprise) license violations within a rolling 30-day window, Splunk will prevent you from searching your data.

Note, however, that Splunk will continue to index your data, and no data will be lost. You will also still be able to search the _internal index to troubleshoot your problem. Read about license violations in the Admin Manual.

Are you using a scheduled search?

Your time range could be excluding the events. Search over all time to verify.

Are you sure the incoming data is indexed when you expect and not lagging? For example, indexing can lag for tens of minutes under certain conditions. If you run a scheduled search every 20 minutes, you might not see the most recent data yet. But if you run the same search 70 minutes later, the data will be there.

To identify a lag between the event's timestamp and indexed time, manually run the scheduled search with the following added syntax:
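One way to measure that lag, shown as an added example and not the search from the original documentation: compare each event's `_time` with its `_indextime`, summarize per index, host, and source type, and count future-timestamped events (negative lag) as well, which goes slightly beyond the lag check itself. Assumptions: `index=os` is a placeholder for your scheduled search's base search, the 1200-second threshold mirrors the 20-minute schedule in the example above, and the time picker is set to All time so that `_index_earliest` alone bounds what is scanned.

```spl
index=os _index_earliest=-24h _index_latest=now
| eval lag_sec = _indextime - _time
| eval future_ts = if(lag_sec < 0, 1, 0)
| stats count AS events,
        min(lag_sec) AS min_lag_sec,
        avg(lag_sec) AS avg_lag_sec,
        max(lag_sec) AS max_lag_sec,
        sum(future_ts) AS future_events
        BY index, host, sourcetype
| eval avg_lag_sec = round(avg_lag_sec, 1)
| where max_lag_sec > 1200 OR future_events > 0
| sort - max_lag_sec
```

Rows with a large `max_lag_sec` point to indexing delay that a short scheduled-search window will miss; rows with `future_events` above zero point to events that only an All time search will return.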
